http://securityreason.com/achievement_securityalert/55 http://securityreason.com/achievement_securityalert/54
Hijacking this bug for all the other security-related bug fixes. -r2 will hit the tree in the near future (maybe it'll take a few days), containing these fixes:

#1 safe_mode bypass by prepending http:// to paths (see initial description of this bug + securityreason advisories)

#2 Bug 221969 (insecure c-client api calls allow for buffer overflows)
This IMO allows for local code execution (as such bypassing safe_mode etc.) and maybe even remote code execution when processing specially-crafted mails.

#3 Crash in stream_context_set_params()
http://bugs.php.net/44712

#4 Crash in class PDORow
Commit msg: "Add check for avoid segfault when trying instantiate PDORow manually"

#5 Crash (double free) in Dom->setAttributeNode
http://bugs.php.net/45251
Commit msg: "fixed bug #45251 (double free or corruption with setAttributeNode())"

#6 Crash in array functions under certain circumstances
http://bugs.php.net/45312
Commit msg: "Fixed bug #45312 (Segmentation fault on second request for array functions)"

Only #2 looks a bit more serious to me, the others are just crashes or safe_mode bypasses. There is no fix for issue #1, I'll bug upstream...
JFYI, issue #1 does not seem to be reproducible when enabling safe_mode via CLI (i.e. php -d safe_mode=on). It seems to work as expected in this case. If you want to reproduce it, use real files. :)
Ignore comment #1, we'll handle the other issues in bug 230575. Initial issue still unfixed, I've got a patch which needs some testing and an OK from upstream.
I proposed two patches and have further discussed this issue with Felipe Pena from upstream. My fix got committed [1], so I'm going to include it in our next patchset revision. I'll wait some days to see if this causes some unwanted false positive safe_mode warnings though. [1] http://news.php.net/php.cvs/51348
Updating whiteboard.
GLSA 200811-05, thanks everyone, especially hoffie.